MicrosoftDocs
diff --git a/‎articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md
Lines changed: 10 additions & 3 deletions b/‎articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md
Lines changed: 10 additions & 3 deletions
diff --git a/‎articles/defender-for-iot/organizations/media/how-to-manage-cloud-alerts/alert-details-aggregated-csv.png
8.96 KB b/‎articles/defender-for-iot/organizations/media/how-to-manage-cloud-alerts/alert-details-aggregated-csv.png
8.96 KB
diff --git a/‎articles/defender-for-iot/organizations/media/how-to-manage-cloud-alerts/alert-details-aggregated-violations.png
533 KB b/‎articles/defender-for-iot/organizations/media/how-to-manage-cloud-alerts/alert-details-aggregated-violations.png
533 KB
diff --git a/‎articles/defender-for-iot/organizations/media/how-to-manage-cloud-alerts/alert-details-aggregated.png
486 KB b/‎articles/defender-for-iot/organizations/media/how-to-manage-cloud-alerts/alert-details-aggregated.png
486 KB
@@ -147,11 +147,18 @@ The file is generated, and you're prompted to save it locally.
 
 ## Remediate aggregated alerts
 
-To reduce alert fatigue, multiple versions of the same alert with identical parameters are listed as one item in the Alerts page. Investigate the alerts and then remediate them using the Learn tab.
+To reduce alert fatigue, multiple versions of the same alert with identical parameters are listed as one item in the Alerts page. As you investigate alerts, an aggregated alert is identified by the *Multiple violations* message that appears under the Source device IP. Use the **Violations** tab to investigate further and the **Take action** tab to remediate the alerts.
+
+1. On the **Alerts** page, select an alert in the grid to display more details in the pane on the right.
+1. For an Aggregated alert the *Multiple violations* message appears underneath the Source device IP address, and the **ViolationCount** will contain a number above 0.
+
+    :::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated.png" alt-text="Screenshot of the alerts detail pane showing the aggregated alerts message, the ViolationsCount and the Violations tab":::
 
-1. On the **Alerts** page, select an alert in the grid to display more details in the pane on the right. How do we know from the table that this is an aggregated alert?<!-- is there a violations column or -->
 1. Select the **Violations** tab.
-1. Export the data to a CSV file using the **Export** button. Open the file and examine the data.
+1. Export the data to a CSV file using the **Export** button. Open the file and examine the data. For example:
+
+    :::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated-csv.png" alt-text="Screenshot of the alerts detail pane showing the aggregated alerts message, the ViolationsCount and the Violations tab":::
+
 1. Select the **Take action** tab. Follow the **Remediation steps**.
 1. Select the **Learn** button so that Defender for IoT learns that this doesn't need to create an alert item for this activity in the future.